I generated a CSR through the vCenter web interface (Administration > Certificate Management > Machine SSL Certificate > Actions > Generate CSR). I submitted the CSR and got the certificate back, but I need the private key file. Can anyone tell me where on the vCenter server the CSR generation process would have put that by default? Most of the documentation I've seen is for the certificate manager command and uses a switch for the file location, but there isn't much documentation for the web client.
Thanks.
Well, I finally managed to get back into the vCenter web consoles by clearing the HSTS settings in the browser.
How to clear HSTS settings in Chrome and Firefox
Be aware that if you get a message like the one below, it tries to pin the rap on the website.
"Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to 172.28.211.35. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
What can you do about it?
The issue is most likely with the website, and there is nothing you can do to resolve it.
If you are on a corporate network or using anti-virus software, you can reach out to the support teams for assistance. You can also notify the website’s administrator about the problem.
Learn more…
Someone could be trying to impersonate the site and you should not continue.
Websites prove their identity via certificates. Firefox does not trust 172.28.211.35:5480 because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.
Error code: SEC_ERROR_UNKNOWN_ISSUER"
Why not add this to your existing thread rather than start another?
Solved: Create new csr for vCenter ssl cert
I considered doing that, but since I marked it with a correct answer, I don't think many people will look at it unless they're having the first issue I wrote about. Since this is a completely separate certificate issue, I also figured it would be better to start a new thread.
Thanks.
Found the answer in this reddit thread.
vCenter 6.7 Replacing Machine Cert Private Key Help : vmware
Run command:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CSR > /path/filename.key
Looks like I wiped out the key while I was testing, so I'll need to start over. I'd also like to submit a bug report to vmware so they can add a way to save the key somewhere when the csr is generated in the web client. If someone could point me in the right direction for that, I'd appreciate it.
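An added check, not from the thread and not VMware's own tooling: export the key that the web-client "Generate CSR" step left in VECS, then confirm it actually pairs with the certificate the CA returned before replacing the Machine SSL certificate. The vecs-cli path, store and alias are the ones quoted above; openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Exports the private key behind the
# pending CSR from VECS and verifies it matches the CA-issued certificate.
# Assumes: openssl on PATH; VECS_CLI is the path quoted in the thread.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# Write the key stored under the __MACHINE_CSR alias (store MACHINE_SSL_CERT,
# both from the thread) to $1, readable only by the current user.
export_csr_key() {
    out=$1
    (umask 077; "$VECS_CLI" entry getkey --store MACHINE_SSL_CERT \
        --alias __MACHINE_CSR > "$out")
}

# Return 0 when the public key embedded in the certificate ($2) is the public
# half of the private key ($1). A mismatch means the key in VECS is not the one
# the CSR was generated from (e.g. it was overwritten, as happened in the
# thread) and the certificate cannot be installed against it.
# Returns 2 when either file cannot be parsed.
key_matches_cert() {
    key=$1; cert=$2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}
```

Run `export_csr_key /path/filename.key` on the appliance, then `key_matches_cert /path/filename.key /path/issued.crt` before touching the certificate store; a non-zero exit is the signal to regenerate the CSR rather than apply the certificate.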
So I got a new cert and applied it. It's working correctly for the 5480 management page, but I get an error when I try to go to the vcenter client page. Any ideas?
Keeps getting worse. I reverted to the snapshot I created before installing the new certificate, and now I get this message on both the web client and the vami:
"(server URL) has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
The issue is most likely with the website, and there is nothing you can do to resolve it."